Punters' password hints are easily extracted from the latest Microsoft Windows machines, security researchers have discovered.
TrustWave SpiderLabs uncovered a key called "UserPasswordHint" during wider research into how the Redmond operating system stores password hashes. Subsequent studies showed it was easy to extract and …

Who cares?

If your password hint is so weak (and by that I mean revealing) that the average person would be able to guess your password from the hint alone, then a physical attacker will guess it just the same.

Besides, if some haxor has access to your machine, then you have worse things to worry about. Who cares about something that is already available to anyone who enters your password incorrectly a few times?

Re: re "You might want to encrypt that"

Enter the wrong word too many times, and the infiltrator is end-fill-traded, or quadrapalegicized.... That'll teach those who have direct access with nefarious intentions...

(OTOH, this might be a way for prison wardens to outsource select convicts and thin out their prisons. Or, might be a way for people to pay off their debts to society. Or, for crooked execs to serve time. hack the worng cmopteur, thye severe theri onw bainr stme....)

Surely if an intruder has access to the password hints then the damage is already done!!!

Not if the hints are on a shared system. If you must have hints, they should probably be separated from the systems which control access.

The problem is that hints make things less secure, which is probably not an issue for individuals with machines at home, but introduce the facility to an enterprise and you've got thousands of hints for an admin to go through.

This is a problem for non-repudiation. An admin can mess with data but that leaves an audit trail. If they can narrow the odds with hints and login using someone else's username and password, that is a major security issue. Login as another user, fire up Outlook and send a cryptographically-signed email to a third party, divulging company secrets and booking an entire brothel for the finance group Christmas party.

That said, instead of asteroids, you could use zeros, which given the padding, would be amusing in a nerdy way.

Let's hope it's off by default. I hope the drive to reduce password reset work doesn't override security considerations.

"Wait, aren't you the guy who always says how horrible all Microsoft products are?" -- I wouldn't go that far, I have a Microsoft mouse that seems to work, other than that... besides, my distaste for Microsoft's software gives people like you a reason to use the troll icon otherwise you may have to resort to the drunken tramp icon indefinitely.

It also may surprise you to learn that I do operate a Windows based PC, for the sole purpose of running Steam (hopefully this will change in the near future).

Penguin Icon, partly because Penguins are cute and partly because I was on auto-troll when I wrote the comment and used my favoured icon.

Re: Linux has a "registry".

We don't randomly copy bits of them from HKLOCALMACHINE to CURRENTCONTROLSET or whatever either.

It's also far smaller and usually documented inline too. It is actually possible to understand the contents of /etc.

Personally though, I prefer the $APPHOME system, with etc, bin, data under that. The desktop is inherently complex, but there is no excuse for mixing server application data with system data. Whatever you say about the Lotus Notes desktop, the server end is dead easy to migrate (or at least it used to be) on Linux.

Much of those millions spent on corporate VMware is to wrap up apps into an easily movable bundle, because you have no idea what the application really needs and what data it stuck where in the registry.

Basic error in the system!

In the beginning there was no password, just turn on the computer. Then someone decided that a standalone desktop in a one-person office and unconnected to anything other than the AC mains needed a password mostly because the "big guys" use passwords. So I have to tell myself I am me before I can work. Every day for almost 20 years. And I am cautioned not to write it down.

Fast forward to now (i.e. Spaceballs recursion scene) - passwords for all kinds of things many of which don't need protection from anything - and the passwords expire every three months and have to be reset, use nonsense strings, non-ASCII characters, at least eight letters four numbers mix upper and lower case - and tell me, I dare you - that you can REMEMBER all of them . . . so we put them into our browser, and when it crashes (what? browsers CRASH??) all the passwords are now gone and you get to start again, reset everything, all the hints, all the passwords, all the access codes, the works. And remember, don't write it down because someone might read it. Oh yeah, and NEVER use the same password for everything. So we have to memorize multiple and constantly changing streams of random letters (UC & LC) and numbers, each one of which is different for each and every password protected site we go to . . . and we are cautioned not to make the password socially engineerable by using anything we CAN remember, like our wife's name or whatever.

The result is that we HAVE to write it down - we wind up with a yellow pad with ALL the passwords and the sites they access so that when the magic electrons won't cooperate today, we can still use our computers.

We need a reset on authentication procedures - we need a better way to determine that we are who we say we are, something that doesn't need long lists of random characters which change, are easily mistyped, and cannot be remembered unless you . . . write them down . . . and keep the list somewhere convenient (i.e. near the computer), which sort of defeats the whole purpose, doesn't it?

Ok, if we're so smart, how about we figure out a way to fix this mess? The paradigm (had to use that word, this is after all a computer related discussion) of user name plus password is BROKEN and does not work if the poor user (who paid for all this junk and just wants to use the computer) doesn't have a photographic memory or a USB socket in the back of the skull to plug in the dongle with the passwords on it.

Re: Basic error in the system!

Sez it all.

Microsoft tried to solve this with "Passport" - it went nowhere, largely because people didn't want MS in control. Something like this is desperately needed - but as we now know, any company providing this service becomes a target of attack, and it's only a matter of time...

Re: @Graham

Re: NOT 12345

Nothing like a bluff to confuse everyone, shame the hint isn't displayed when there is just one more attempt before your account is disabled, you can just imagine some would-be hacker trying to figure out if you are thick/irreverent, bluffing, double bluffing, triple bluffing ....

Re: How?

Just for my edification, use $Google to search for 'my first pet' or 'my favorite teacher' or any other standard password reset type of question and tell me that the 'net isn't full of easy-to-find answers.

Re: How?

"Only close friends could do that"

Except that it wouldn't be at all unusual to be able to look back a few years on someone's Facebook and find the "Here's Schinkenstern running around in his little plastic ball" vids. And there's more than a few people in my area who know the name of my first pet, because I've met them whilst walking the aforesaid puppy. Of course that means I wouldn't be stupid enough to use the dog's name as a password, but I'm sure there are people who would.

Come to that, mother's maiden name is a particularly stupid choice of security measure too, given that there's an absolute ton of ancestry sites out there now, all using publicly-available information to tell you this stuff.

Re: How?

> How can anyone guess your first pet?

Social engineering.

Email a group of people including your target and relate a "funny story" about a porn name (name of first pet + road you lived on). Ask what other people's porn names are. Include a couple of email addresses that you control and use them to respond with so as to gain some momentum. There is a good chance your target will respond, especially if there are a couple of responses from people the target knows.

Re: How?

> How can anyone guess your first pet?

No need to guess, trivial to find out pretty much anything about some people, just ask them. Create a website that promises the earth but requires free registration, collect that data and assuming you can drive a particular person or random people to register you will end up with email addresses, DOB, a password that will have a 90% probability of being a password they use on everything, including their email password from which you could get pretty much anything. True, many times you'd end up with a lot of false information but there is no doubt you'd pull some valid info too.

Personally I use a mail alias for everything I sign up for, never use my real details apart from essentials and everything has a separate password, but for stuff I don't care about it is something that can be derived from.

stored obscured with the addition of zeros

Re: stored obscured with the addition of zeros

Thank goodness someone pointed this out. The original Spider Labs post (linked to in the article) is hilarious in its discussion of "chunk[ing] up their payload data into individual characters and then encod[ing] them in their ASCII numerical representation". A rather long-winded way to say "I know so little about Windows that I didn't understand a hex dump of UTF-16, which Windows has used since NT 1.0".[1]

And minus a point to John Leyden for not catching this - as soon as I saw that "obscured with zeroes" line I guessed the Spider Labs author simply didn't recognize LE UTF-16.

[1] OK, in NT 1.0 it was UCS-2, not UTF-16. Indistinguishable in this context.

Hint indeed

I agree. I never bother with the hint, though I suppose if you had a password locker on your phone that had an ID field you could hint 1, 2, 3 etc.

I just use moomins.

Then again, I worked for a company that provided a service for IBM so we had to have annual security reviews. Mine was one of 2 passwords the consultant could not get after a 3 day brute force from within the domain.

I can't use the one I had at Uni any more because of these restrictions that you must have numbers and letters and/or mixed case etc. Well, I could but they also say between X and Y characters and "yellow flavoured doors" is a bit outside the max length of most.

Re: Doh!

"In first looking at the storage location here, I was a little disappointed thinking that the hint was encrypted in some way until I noticed the pattern of zeros. Having dealt with a fair amount of PHP malware in the last couple months, one of the things the “baddies” do is chunk up their payload data into individual characters and then encode them in their ASCII numerical representation."

Re: This is not a security hole: if you can access this you already have complete access

Yep. I've been in places where the spare keys are kept in the safe. Not the only set of spares, but a set for easy access if you need to keep a master copy, assistant's copy or whatever safe while someone is away.

Try this one

Thus opens a favourite novel, at least it does when translated into my childhood fantasy language Hallon. There is a website explaining about the language, the spooks will have access to some more vocabulary from emails I have exchanged with friends, and so would be able to make a fragmentary translation, enough to identify the text and so identify the English word corresponding to the missing word in the text, which is required to be filled in as the password.

Therein lies the problem. For the word in question has never been written down or emailed to anybody so there is nothing to guide the spooks - or the hackers - to what the translation may be.

I like to see the study on....

For some value of 'hint'

I was house-sitting for a friend a few years ago and she asked me to sort out some issues with her laptop, which was more often put to sleep than shut down, while I was there. At one point a Windows Update caused the machine to reboot and I was left at the login screen with no idea as to her credentials. I tried the obvious -- pets' names, kids' names, no password at all -- but came up blank. The password hint was three alphabetic characters, which I guessed meant something significant to my friend but not to me. I was >< this close to phoning her up and asking her what her password was when I had a sudden revelation. I tried the three-character hint AS the password. Straight in.

Sometimes you have to stop thinking like the IT guy and start thinking like a user.
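The "zeros" point made in the "stored obscured with the addition of zeros" comments and the hint-was-the-password anecdote above, as an added example that is not part of the article, the SpiderLabs post, or any commenter's text: an admin-side audit that decodes UserPasswordHint values from a constructed .reg export (REG_BINARY hex, UTF-16LE, not encryption) and flags hints that look like credentials rather than reminders. The key path in the sample is a placeholder, since the page names only the value, not its location.

```python
import re

# Constructed .reg export excerpt (not a real SAM dump). The key path is a
# placeholder: the page names the value "UserPasswordHint" but not its key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\PLACEHOLDER_SAM_PATH\Users\000003E9]
"UserPasswordHint"=hex:64,00,6f,00,67,00,27,00,73,00,20,00,6e,00,61,00,\
  6d,00,65,00,00,00

[HKEY_LOCAL_MACHINE\PLACEHOLDER_SAM_PATH\Users\000003EA]
"UserPasswordHint"=hex:4d,00,62,00,78,00

[HKEY_LOCAL_MACHINE\PLACEHOLDER_SAM_PATH\Users\000003EB]
"UserPasswordHint"=hex:63,00,61,00,66,00,e9,00,32,00,30,00,31,00,32,00,21,00
"""

LINE_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$|^"UserPasswordHint"=hex:(?P<hex>.*)$')


def parse_hints(reg_text: str) -> dict:
    """Return {key path: decoded hint} for every UserPasswordHint in a .reg export."""
    # regedit wraps long hex values with a trailing backslash; join those first.
    text = re.sub(r',\\\r?\n\s*', ',', reg_text)
    hints, key = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group('key'):
            key = m.group('key')
        elif key:
            raw = bytes.fromhex(m.group('hex').replace(',', ''))
            # Every second byte is the high byte of a UTF-16LE code unit, which is
            # why ASCII text shows up as "letter, 00, letter, 00" in a hex dump.
            # Non-ASCII characters (e9 00 = é) decode the same way.
            hints[key] = raw.decode('utf-16-le').rstrip('\x00')
    return hints


def assess_hint(hint: str) -> str:
    """Crude label for hints that look like a credential rather than a reminder."""
    if len(hint) <= 3:
        return 'suspicious: short token, may be the password itself'
    if re.search(r'\d', hint) and re.search(r'[A-Za-z]', hint) and ' ' not in hint:
        return 'suspicious: password-shaped (letters and digits, no spaces)'
    return 'ok'


if __name__ == '__main__':
    for path, hint in parse_hints(SAMPLE_REG).items():
        print(f'{path.rsplit(chr(92), 1)[-1]}: {hint!r} -> {assess_hint(hint)}')
```

The heuristics in assess_hint are deliberately simple; the point is that the decoded text is available to anyone who can read the export, so a review like this is the only control on what users put there.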

Re: For some value of 'hint'

Too many passwords...

I have to remember at least 50 different passwords, which isn't humanly possible as they ALL insist on being changed regularly and most have password rules that aren't even compatible. And no, I don't think it is a good idea to use the same sort of password for most systems, like having one key that fits all your locks. So, I've written my own encryption algorithm and have them all in a file on the server. Anybody could see the file, but the file is randomly encrypted to 100 levels deep with the master password encrypted differently somewhere in the file, I think I'm pretty safe. No hints needed.

It's just password madness lately. That is why a lot of people have their passwords on Post-its stuck to their screen... mad.